{"id":462101,"date":"2017-02-24T22:17:00","date_gmt":"2017-02-24T18:17:00","guid":{"rendered":"http:\/\/nhub.news\/?p=462101"},"modified":"2017-02-25T12:14:12","modified_gmt":"2017-02-25T10:14:12","slug":"how-to-secure-your-data-after-the-cloudflare-leak","status":"publish","type":"post","link":"http:\/\/nhub.news\/fr\/2017\/02\/how-to-secure-your-data-after-the-cloudflare-leak\/","title":{"rendered":"How to secure your data after the Cloudflare leak"},"content":{"rendered":"<p style=\"text-align: justify;\">Cloudflare revealed yesterday that a bug in its code caused sensitive data to leak from some of the major websites that use its performance enhancement and security services. Uber, Fitbit, OkCupid and 1Password are among Cloudflare\u2019s millions of clients, and it\u2019s possible that personal data such as passwords and cookies leaked from many client websites during the five months before the bug was discovered and reported by Tavis Ormandy, a Google researcher. <br \/>Unfortunately, it\u2019s still not entirely clear how many Cloudflare customers were affected by the bug. The leaked data was cached by search engines in some cases, making the clean-up of the leak a difficult process. Although Google, Yahoo, Bing and other search engines worked to scrub the data before Cloudflare publicly disclosed the bug, researchers reported today that they were still finding samples of leaked data in search engine caches. <br \/>\u201cYou can still find random authentication cookies for sites affected by #CloudBleed with a simple Google search\u2026 and they work,\u201d Hector Martin, a security researcher, tweeted.
(The Cloudflare incident has earned the nickname CloudBleed after being compared to the HeartBleed vulnerability.) Martin discovered an authentication cookie for a financial website, Motherboard reported. The cookie would allow an attacker to log in to the site without a password, posing as a regular user. <br \/>Given that sensitive data is still floating around in search engine caches, it\u2019s a good idea to reset your account passwords and enable two-factor authentication. You should also use a password manager to generate unique passwords for the websites you visit. <br \/>Cloudflare hasn\u2019t uncovered any evidence that the bug was discovered by anyone other than Ormandy \u2014 but it never hurts to refresh your passwords, particularly since they might still be exposed in a cache. <br \/>Users can\u2019t clean up the mess all by themselves. Because the leak included not just passwords but cookies and authentication tokens, website administrators will need to take action too. <br \/>It might be a good idea for sites that use Cloudflare to issue a forced password reset to their users and revoke authentication credentials for mobile apps. (Some Cloudflare customers, like Creative Commons and Bugcrowd, are already doing this.) <br \/>Security researcher Ryan Lackey points out that, for some sites, a password reset might not be worth the loss of trust that it can provoke in consumers. \u201cIt doesn\u2019t appear large numbers of credentials have been compromised, so for a consumer service with limited risk to compromised accounts, it may not be worth the effort. For administrator credentials, or for any sites processing highly sensitive information through Cloudflare, the lack of a quantifiable maximum exposure probably means it is worth forcing a password update,\u201d Lackey wrote in a Medium post. 
<br \/>You can check out a list of Cloudflare customers to see if websites you use might be affected by the leak \u2014 but keep in mind that not all of Cloudflare\u2019s clients were affected. Because of the way Cloudflare\u2019s code was configured, the leak was at its worst for less than a week, when 1 in every 3,300,000 Cloudflare requests might have caused leakage. As Cloudflare notes, that\u2019s just 0.00003% of requests.<\/p>\n<p><span>\u00a9 Source: <a href=\"http:\/\/feedproxy.google.com\/~r\/Techcrunch\/~3\/AP13H_f8jiI\/\" target=\"_blank\">http:\/\/feedproxy.google.com\/~r\/Techcrunch\/~3\/AP13H_f8jiI\/<\/a><br \/>\nAll rights are reserved and belong to the source media.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cloudflare revealed yesterday that a bug in its code caused sensitive data to leak from some of the major websites that use its performance enhancement and.. Cloudflare revealed yesterday that a bug in its code caused sensitive data to leak from some of the major websites that use its performance enhancement and security services. 
Uber, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":462098,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[93],"tags":[],"_links":{"self":[{"href":"http:\/\/nhub.news\/fr\/wp-json\/wp\/v2\/posts\/462101"}],"collection":[{"href":"http:\/\/nhub.news\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/nhub.news\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/nhub.news\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/nhub.news\/fr\/wp-json\/wp\/v2\/comments?post=462101"}],"version-history":[{"count":1,"href":"http:\/\/nhub.news\/fr\/wp-json\/wp\/v2\/posts\/462101\/revisions"}],"predecessor-version":[{"id":462103,"href":"http:\/\/nhub.news\/fr\/wp-json\/wp\/v2\/posts\/462101\/revisions\/462103"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/nhub.news\/fr\/wp-json\/wp\/v2\/media\/462098"}],"wp:attachment":[{"href":"http:\/\/nhub.news\/fr\/wp-json\/wp\/v2\/media?parent=462101"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/nhub.news\/fr\/wp-json\/wp\/v2\/categories?post=462101"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/nhub.news\/fr\/wp-json\/wp\/v2\/tags?post=462101"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}